Error when routing data to index and sourcetype ba...

a212830 · ‎11-29-2017

Hi,

I'm trying to route data to different indexes and sourcetypes based upon hosts coming, but getting errors, and uncertain why. The errors are:

Undocumented key used in transforms.conf; stanza='ise2_index_override' setting='DEST_KEY' key='MetaData:Index'
Undocumented key used in transforms.conf; stanza='ise_index_override' setting='DEST_KEY' key='MetaData:Index'
Undocumented key used in transforms.conf; stanza='pep_index_override' setting='DEST_KEY' key='MetaData:Index'
Undocumented key used in transforms.conf; stanza='pf_index_override' setting='DEST_KEY' key='MetaData:Index'

Inputs (udp feed)
[udp://10515]
connection_host = dns
index = main
sourcetype = temp10515_syslog

Props.conf:
[temp10515_syslog]
ANNOTATE_PUNCT = false
KV_MODE = AUTO
LINE_BREAKER = ([\r\n]+)
NO_BINARY_CHECK = 1
SHOULD_LINEMERGE = false
TRANSFORM-10515sourcetype_and_index_override = ise2_index_override, ise2_sourcetype_override, pf_index_override, pf_sourcetype_override

Transforms.conf:
[ise2_sourcetype_override]
DEST_KEY = MetaData:Sourcetype
REGEX = (%ISE)
FORMAT = sourcetype::cisco:ise:syslog

[ise2_index_override]
DEST_KEY = MetaData:Index
REGEX = (%ISE)
FORMAT = network90

[pf_sourcetype_override]
DEST_KEY = MetaData:Sourcetype
REGEX = (%PF)
FORMAT = sourcetype::netscreen_syslog

[pf_index_override]
DEST_KEY = MetaData:Index
REGEX = (%PF)
FORMAT = network

damien_chillet · ‎11-29-2017

DEST_KEY for index should be

_MetaData:Index : The index where the event should be stored. (Notice the underscore prefix)

(http://docs.splunk.com/Documentation/Splunk/7.0.0/Admin/Transformsconf)

woodcock · ‎11-29-2017

Yes, this one is special.

sloshburch · ‎11-30-2017

@damien_chillet FTW! Accept this answer @a212830 and make it rain karma!

Error when routing data to index and sourcetype based upon incoming hosts: "Undocumented key used in transforms.conf"

Free LIVE events worldwide 2/8-2/12
Connect, learn, and collect rad prizes
and swag!

Sign up now >

Error when routing data to index and sourcetype based upon incoming hosts: "Undocumented key used in transforms.conf"

Free LIVE events worldwide 2/8-2/12Connect, learn, and collect rad prizes and swag!Sign up now >

Free LIVE events worldwide 2/8-2/12
Connect, learn, and collect rad prizes
and swag!

Sign up now >